juneau-dev mailing list archives

From Craig Russell <apache....@gmail.com>
Subject Re: Quick question...checksums?
Date Mon, 17 Sep 2018 18:54:51 GMT
tldr;

Generating SHA512 or SHA256 is now required. Generating SHA1 and/or MD5 is now allowed "for
a good reason".

more below...

> On Sep 17, 2018, at 11:33 AM, Joey Frazee <jfrazee@apache.org> wrote:
> 
> The interpretation of SHOULD NOT here, according to the RFC [1], is weaker than what most people think:
> 
> "SHOULD NOT[:] This phrase, or the phrase 'NOT RECOMMENDED' mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label."
> 
> The obligation is to ship SHA-256 or SHA-512, not that you can't release a release that has MD5 or SHA-1 somewhere or other.

Yes. 

> In particular, one reason to include MD5 is so Nexus doesn't keep you from closing the repo.

Yes.

With Juneau's release process is there a good reason to continue to generate SHA1? [Other
projects have downstream release consumption processes that require SHA1.]
> 
> In light of all that, I think it's ok to include the files, provided that the verification instructions only reference SHA-256 or SHA-512, and it's probably prudent to not link the files from the download page.

Yes. The files not to link to are the aforementioned SHA1 and MD5.
> 
> If LEGAL has decided otherwise then the release instructions need to be updated to MUST NOT.

Good summary, Joey.

Craig
> 
> 1. https://www.ietf.org/rfc/rfc2119.txt
> 2. https://www.apache.org/dev/release-distribution
> On Sep 17, 2018, 1:01 PM -0500, Gary Gregory <garydgregory@gmail.com>, wrote:
>> On Mon, Sep 17, 2018 at 11:59 AM Gary Gregory <garydgregory@gmail.com> wrote:
>> On Mon, Sep 17, 2018 at 11:52 AM James Bognar <jamesbognar@apache.org> wrote:
>> I think I'm confused.
>> 
>> The checksums in the release are "*.md5" and "*.sha1":
>> https://repository.apache.org/content/repositories/orgapachejuneau-1022/org/apache/juneau/juneau-all/7.2.0/
>> 
>> Are the "*.sha1" files using SHA-1 or SHA-256/512?  I can't tell other than by the file names.
>> 
>> That's the only way you can tell from all the Apache releases I've seen. The extension .md5 means MD5 and .sha1 means SHA-1. You can tell in the SHA files if it's from SHA-256, SHA-512, or something else by the length of the checksum.
>> 
>> For example: https://archive.apache.org/dist/commons/lang/binaries/commons-lang3-3.8-bin.zip.sha256
>> 
>> Gary
>> 
>> Our keys are here:
>> https://people.apache.org/keys/group/juneau.asc
>> 
>> On Mon, Sep 17, 2018 at 1:25 PM Gary Gregory <garydgregory@gmail.com> wrote:
>> You must NOT ship SHA1! Only SHA-256 or 512.
>> 
>> Gary
>> 
>> On Mon, Sep 17, 2018 at 11:21 AM James Bognar <jamesbognar@apache.org> wrote:
>> I believe they mentioned on the general mailing list that you only need to ship SHA-1 checksums and not ASC or MD5.  Can I get a quick confirmation on that?

Craig L Russell
Secretary, Apache Software Foundation
clr@apache.org http://db.apache.org/jdo
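The verification rule the thread converges on (identify the algorithm by the checksum length, then accept only SHA-256 or SHA-512 when verifying a release artifact), written out as an added example; this is not code from the Juneau project or from anyone on the thread, and the artifact bytes and checksum-file contents are constructed for the demo.

```python
import hashlib
import hmac

# Hex-digest length -> algorithm: the "tell by the length" rule from the thread.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# Release policy as discussed: verify only against SHA-256 or SHA-512.
ACCEPTED_ALGORITHMS = {"sha256", "sha512"}

def parse_checksum_file(text: str) -> tuple[str, str]:
    """Return (algorithm, hexdigest); accepts bare digest or 'digest  filename'."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty checksum file")
    digest = lines[0].split()[0].lower()
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("checksum file does not contain a hex digest")
    algorithm = DIGEST_LENGTHS.get(len(digest))
    if algorithm is None:
        raise ValueError(f"unrecognised digest length {len(digest)}")
    return algorithm, digest

def verify_artifact(data: bytes, checksum_text: str) -> str:
    """Verify data against a checksum file; return the algorithm used.
    Raises ValueError for .md5/.sha1 files and for a non-matching digest."""
    algorithm, expected = parse_checksum_file(checksum_text)
    if algorithm not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"{algorithm} file not acceptable; use .sha256/.sha512")
    actual = hashlib.new(algorithm, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError(f"{algorithm} mismatch: expected {expected}, got {actual}")
    return algorithm

def demo() -> dict[str, str]:
    """Constructed sample artifact plus one checksum file of each kind."""
    artifact = b"constructed sample bytes standing in for juneau-all-7.2.0.jar\n"
    files = {
        ".sha512": hashlib.sha512(artifact).hexdigest() + "  artifact.jar\n",
        ".sha256": hashlib.sha256(artifact).hexdigest() + "\n",
        ".sha1": hashlib.sha1(artifact).hexdigest() + "\n",
        ".md5": hashlib.md5(artifact).hexdigest() + "\n",
        ".tampered": hashlib.sha256(artifact + b"!").hexdigest() + "\n",
    }
    outcome = {}
    for ext, text in files.items():
        try:
            outcome[ext] = "verified with " + verify_artifact(artifact, text)
        except ValueError as exc:
            outcome[ext] = "rejected: " + str(exc)
    return outcome
```

Note that a checksum only proves the download matches what the mirror serves; the release signature (the .asc file, checked against the project KEYS) is what ties it to the release manager.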
